Simulative Performance Evaluation of the ... - Semantic Scholar

1 downloads 628 Views 83KB Size Report
the network consists of several MSC areas (managed by a Mobile Switching ... is registered under a pseudonym, the network provider may know that a user ...
Simulative Performance Evaluation of the Temporary Pseudonym Method for Protecting Location Information in GSM Networks Peter Reichl, Dogan Kesdogan*, Klaus Junghärtchen, Marko Schuba Department of Computer Science • Informatik IV (Communication Systems) Aachen University of Technology • D-52056 Aachen • Germany {peter, dogan, klausj, marko}@i4.informatik.rwth-aachen.de

Abstract. The information about the location of a mobile user belongs to the most sensitive data within mobile communication networks. One possibility to protect it especially against curious insiders with access to the network consists of storing the actual information in so-called "home trusted devices" and using temporary pseudonyms for user registration in the network databases. This paper presents a detailed OPNET simulation and evaluation of the signalling cost of this approach compared to standard GSM.

1 Introduction In contrast to previous mobile communication networks, GSM offers a much higher level of security to its users and the network operator, e.g. by authentication and speech encryption procedures as well as the use of temporary identities protecting the user's privacy. Despite these features, there are some security weaknesses in the GSM standard, e.g. the issue of protecting location information about the user (as it is contained within the GSM signalling information). The temporary pseudonym method [11, 7] is one recent approach for protecting this rather sensitive information against attacks coming from inside the network (especially against corrupt network providers). This paper presents a thorough simulative investigation and performance evaluation of this method. GSM networks have roughly the following structure [13]: The total supply area of the network consists of several MSC areas (managed by a Mobile Switching Center MSC each) which are subdivided into several Location Areas LA (each of them managed by a Base Station Controler BSC), each being constituted of several cells, where a respective Base Transceiver Station BTS emits and receives radio waves in a certain frequency spectrum. The distributed location management consists of a central database, the Home Location Register HLR, containing the respective current MSC area of each user, whereas for each MSC area a local database, the Visitor Location Register VLR, contains the current LA in the respective MSC area. Each user moves within the supply area, and her mobility is managed by procedures for mobile originated (MO) calls setup, mobile terminated (MT) calls setup, Handover and Location Update (LU). The latter one is initiated by the Mobile Station (MS) while leaving one LA and entering a new one and performs the update of the user location information in the network databases (HLR and VLRs). The * The work of Dogan Kesdogan was supported by the Gottlieb Daimler- and Karl BenzFoundation

procedure is handled locally as soon as both LAs belong to the same MSC, otherwise the MSC of the new LA forwards the LU request to the HLR which thereupon cancels the record in the VLR of the old MSC and confirms the insertion of the new record in the VLR of the new MSC which in turn acknowledges the MS request. The so-called Gateway MSC (GMSC) allows to establish MT calls from the Public Switched Telephone Network PSTN to a GSM subscriber. In order to route the call to the MSC in whose area the MS of the respective user currently is roaming, the GMSC requests routing information from the HLR and the respective VLR. The MSC then manages the establishment of a radio connection between the MS and the BTS of the cell where the user currently is registred. There are already several different approaches for protecting the location of a mobile user (see [7] for a comprehensive overview). This paper focusses on the concept of "temporary pseudonyms", which has been developped in order to comply with the following demands: • the user location information should be protected as long as the user moves with the mobile switched on and no MT call arriving; • the implementation should avoid major changes of the GSM standard and should allow real-time communication; • the responsibility for sensitive data should be moved to the user as far as possible. Having introduced the idea of temporary pseudonyms in section 2, the following section 3 presents the results of a detailed OPNET simulation of the TP method compared to standard GSM signalling, before some concluding remarks finish the paper. Note that the companion paper [11] is much more focussed towards investigating this method analytically and discussing a generalization of it in depth.

2 The Method of Temporary Pseudonyms "Temporary Pseudonyms" (TP) have been proposed first in [9, 10]. The basic idea relies heavily on the concept of trusted parties: In the simplest case, this means that a Home Trusted Device (HTD) is used for storing sensitive data (authentication keys, location information etc.) or even handles the complete location management (thus replacing the VLR) confidentially. It is important to note that the HTD is completely under the control of the user. In the TP method, the trusted region is no longer used for saving the actual LAI of the user. Instead, the basic idea consists of protecting a mobile user's location information (within a mobile network) by protecting her identity. Hence, the user is assigned a pseudonym (Pseudo Mobile Subscriber Identity PMSI). As long as the user is registered under a pseudonym, the network provider may know that a user under a certain pseudonym currently is at a certain place, but he cannot connect the real identity of the user with her actual location. The pseudonym is generated time-synchronously in the MS and the HTD, i.e. both stations generate at the same time a random number by using identically parameterized random generators PRG (the seed for initializing the PRG must have previously been exchanged between MS and HTD). This random number works as an implicit address, i.e. as "identity" of the user, under which she may register in the data bases (HLR and VLR) of the mobile network. Within the procedures in the GSM network, the implicit address plays the role of the standard IMSI (International Mobile

Subscriber Identification Number). [5, 8] present a much more detailed discussion of implicit addressing. As soon as a call is arriving at the network, the HTD of the user (which is reachable e.g. through a fixed network like ISDN) is asked for the currently used pseudonym. This information allows the network provider to find out the necessary location information and to set up the call as usual. Note that the user remains anonymous as long as no call arrives for him from outside. If moreover the user uses prepaid phone cards, even MO calls may take place anonymously. Note that the user must not be assigned an unambiguous secret key in order to prevent the possibility of linking her often changing pseudonyms. Encryption of the data sent via the air interface during an MO call is guaranteed by the MS itself informing the network provider about the key that is used for communication. HLR PMSIA

VLR VLR PMSIA

LA

Trusted Device

t

MSISDN PMSIA :=PRG(kA,t )

PMSI_Insert

t PMSIA:=PRG(kA,t)

Fig. 1. Generation and insertion of a new pseudonym

Fig. 1 demonstrates how pseudonym changes between MS and HTD are performed in time-synchronous manner. Changing them exactly while changing the location area, i.e. by registering in the new location area under a different pseudonym (without cancelling the old one, because otherwise the two pseudonyms could be linked) might be the most efficient way, because then any information about a direction of the pseudonym is hidden. On the other hand, the user anonymity is lost (as e.g. a constant driving velocity yields constant pseudonym changes which can be linked). Note that it is not possible to directly inform the HTD about the pseudonym update as every message between the user and her HTD allows the user's identity to be combined with her location area. This may be solved by drawing the time between two changes from an exponential (memoryless) distribution. This approach moreover prevents situations in which the channel capacity of the mobile network might be exceeded as all users have to update their pseudonyms at the same time.

3 Simulation Results The TP method has been integrated into an existing GSM model for the simulation platform OPNET [3]. The model consists of the OPNET network layer for building the network topology, the OPNET node layer for modelling the data flow within net-

work components, and the OPNET process layer, in which the behaviour of the components is characterized by finite automatas. In this model, the main GSM hardware and signalling procedures are simulated (see fig. 2). Included are mobile stations (MS), base transceiver stations (BTS), base station controlers (BSC), mobile switching centers (MSC), visited location registers (VLR), home location registers (HLR), gateway mobile switching centers (GMSC) and the public switched telephone network (PSTN). Signalling has been modelled close to the GSM standard down to layer 3 of the protocol model. In addition to [3], packets sent over the SS7 network are piggybacked by appropriate packets of the lower layers TCAP, SCCP and MTP3. The simulation comprises the procedures Mobile Originated Call, Mobile Terminated Call, (Inter-BSC, Inter-MSC) Location Update, (Inter-BSC, Inter-MSC) Handover and Paging. Service handling and authentication are not integrated, in contrast to System Information and Measurement messages, which are evaluated for deciding on the initiation of location updates and handovers. The simulation area consists of 12 cells, 4 location areas, 2 MSC/VLRs and N = 21 mobile users. Each location area consists of 3 cells. Larger networks with up to 40 cells, 4 MSCs and 50 mobile users have been tested, the restriction to the smaller one is due to simulation duration and consistency of the results. The radius of the cells depends on the mobility scenario and has been chosen to be 1.5 km for a city scenario, 15 km for countryside, 10 km for "Autobahn" (i.e. German Highway) and 9 km for a mixed scenario. The mobility model for the MS has been implemented according to results from [2] who measured delays in bus traffic and found out that these delays could be modeled by an Erlang-4-distribution. The bus delays mainly occur due to the individual traffic sharing the roads with the buses. Though based on slightly different driving conditions (e.g. time schedule at every bus stop), the results can be transfered to individual traffic. Hence, the mean delay may be calculated as "perturbation" of the usual mean driving time according to (3.1) tmean = tmin + X Erl ⋅ tmin = (1 + X Erl ) ⋅ tmin where X Erl is drawn from an Erlang-4 distribution. This yields a mean simulated speed of v vmean = max . (3.2) 1 + X Erl This leads to the following mobility algorithm that is executed for every mobile node during the simulation: 1. Mobile users are distributed randomly across the simulation area. 2. Each mobile user draws a random destination from a uniform distribution. 3. Each mobile node has parameters indicating the real mean speed and the maximum speed. Thus the delay for part of the way and the simulated speed may be calculated. 4. At certain times each mobile node decides whether it performs a 90˚ turn towards the destination or not. The distance between these points and the turn probability are given as parameters and depend on the simulation scenario; they have been calculated based on typical respective scenarios in the region of Aachen. 5. The mobile node moves according to its calculated speed and direction. 6. If the destination is reached, a new destination as chosen according to step 2, and the algorithm continues from step 3 onwards.

Fig. 2. The OPNET model for the simulated GSM network

Note that the mean speed of mobile nodes has been assumed to be 10 km h in the city, 65 km h in the countryside, 100 km h in the "Autobahn" and 58 km h in the mixed scenario (cf. [12]). Measurements in real mobile networks [1] state that during the busy hour approximately 2 3 of the calls are mobile originated whereas 1 3 are mobile terminated calls. Measured mean call setup rates are around 0.45 calls/hour for mobile originated calls and 0.225 calls/hour for mobile terminated ones, yielding a global call interarrival time of about 5333 seconds. Furthermore, the mean duration of mobile terminated calls has been measured to be 115 seconds in contrast to 105 seconds for outgoing calls. According to [4, 6], call holding times as well as interarrival times may be drawn from exponential distributions. Finally, the length of the pseudonyms has been set to 100 bits, which is perfect for avoiding collisions between pseudonyms (as derived in [11]). 3.1 Variation of the Mobility Behaviour In this section it is demonstrated how changes in the mobility behaviour effect the load of the mobile network. To this end, the three scenarios "city", "countryside" and "Autobahn" are explored. The simulation parameters are given in table 1. Fig. 3 shows the total signalling load generated by one user in the mobile network. On the one hand, the network load depends strongly on the mobility environment of the user. A user in the countryside scenario with large location areas and medium speed causes less load than a user who is fast or moves in areas with small cell sizes. This demonstrates the influence of the rate of location area updates. On the other hand, the difference between the signaling in the GSM network and with

the TP method appears to increase proportionally to the mobility behaviour as well, being 75% in the countryside, 80% in the city and 96% in the Autobahn scenario. cell radius [km] speed [km/h] turning probability distance between two turns PMSI updates/h time between two PMSI updates [min] PMSI length [bit] call setup rate MO [attempts/h] time between two MO calls [min] call setup rate MT [attempts/h] time between two MT calls [min]

city 1.5 10 0.7 0.5 2.4 25

countryside 15 65 0.4 3.0 1.88 32 100 0.45 133 0.225 266

Autobahn 10 100 0.2 9.0 3.9 15

Table 1. Simulation parameters for variation of mobility behaviour

20.0

10.0 5.0 0.0

GSM (Location Update) TP (Location Update) TP (PMSI Insert) TP (PMSI Update)

1.5

Duration (s)

(bit/s)

15.0

2.0

GSM TP−Method

1.0

0.5

City

Country Autobahn Szenario

Fig. 3. Total network load in the three scenarios

0.0

City

Country Autobahn Szenario

Fig. 4. Mean duration of the procedures for location update and pseudonym change

The mean duration of the procedures for location update and pseudonym change is demonstrated in fig. 4. On the air interface the location update procedure uses the TMSI for either method. Thus the length of the PMSI here is of no influence at all. Within the SS7 network PCM30-connections are used. The 64 kbit/s speed of their signalling channel is high enough to prevent the location update delay from rising heavily. The PMSI Insertion procedure has to send one pseudonym across the air interface. Due to its length and the low rate of the dedicated signalling channel the duration of the procedure increases by 67%. Nevertheless it is not as time-critical as a handover procedure. Where does the high signalling load come from? The responsible factor turns out to be the share of the location update procedure, which is extended for the PMSI insertion procedure, in the global load. Fig. 5 left shows that in the chosen simulation environment the location updates (inter-MSC and inter-BSC) cause nearly 60% of the global load, whereas the low impact of the call procedures results from the call rates being adjusted to the values given in [1]. With the TP method being implemented, location updates and pseudonym insertions amount to 74% of the global load. The load increase under the TP method is caused by the concept of adapting the pseudonym

change rate to the location update rate in order to reveal as little as possible over the connection of a movement path and the corresponding pseudonym. Hence, increasing the location update rate yields a load increase under the TP method by the location update expense plus the pseudonym change expense. As we use a modified Inter-MSClocation-update procedure for changing pseudonyms, this corresponds approximately to double the expense. In ter MSC LocUp 1.89 = 38.0%

Inter BSC LocUp Paging 1.09 = 21.9% 0.29 = 5.9%

MO Call Start 0.88 = 17.7%

MT Call Start 0.52 = 10.4%

Handover MT Call End MO Call End 0.06 = 1.1% 0.08 = 1.6 % 0.17 = 3.4%

Inter MSC LocUp 1.95 = 21.1%

PMSI Insertion 3.65 = 39.6%

PMSI Updating 0.03 = 0.4%

MO Call Start Inter BSC LocUp 1.22 = 13.2% MT Call Start 1.15 = 12.4% Paging 0.61 = 6.6% 0.31 = 3.4% Handover MO Call End MT Call End 0.17 = 1.8% 0.06 = 0.7% 0.08 = 0.9 %

Fig. 5. Distribution of the global load w.r.t. the different GSM procedures (in bit/s) for the case of the city scenario

Fig. 6 shows the share of system information and measurement messages with respect to the total load. Note that system information messages are between 22 and 23 bytes long and cause – sent continuously every 0.235 seconds – more than 90% of the total load, whereas measurement messages are sent every 0.48 seconds and cause about 4% of the total load. System Information 460.2 = 95.3%

Measurement 17.5 = 3.6% Location Update 3.0 = 0.6%

others 2.0= 0.4%

System Information 459.6 = 94.7%

Measurement 16.4 = 3.4% Location Update 3.2 = 0.7%

PMSI Handling 3.7 = 0.8% others 2.4= 0.5%

Fig. 6. Load distribution to the different procedures for the GSM network (left) and the TP method (right) with system information and measurement messages

Fig. 7 finally presents the call setup time for incoming and outgoing calls. The call setup times for both kinds of calls coincide as long as no (public key encrypted) session key is sent from the mobile to the network. Conveying a session key causes a delay of 0.66 seconds per direction if sent over a dedicated signalling channel with netto bit rate of 782 bit/s. The pseudonym has to be sent twice with an initial message in order to prevent two users from accessing the same traffic channel: First a random number is sent from the user to the network which afterwards is contained in the answer of the network to indicate that the user is now owner of the channel which is assigned by the network. Then the initial message is sent "piggybacked" to a layer 2 LAPDm SABM-message which is answered by an exact copy of it within an LAPDm UA-message (see [13]). If the mobile does not receive an exact copy of its initial message, it has to clear the connection.

5.0 GSM (MO Call Setup) TP (MO Call Setup) GSM (MT Call Setup) TP (MT Call Setup)

2.0

1.0

0.0

City

Country Autobahn Szenario

Call Setup Time (s)

Call Setup Time (s)

3.0

GSM (MO Call Setup) TP (MO Call Setup) GSM (MT Call Setup) TP (MT Call Setup)

4.0 3.0 2.0 1.0 0.0

City

Country Autobahn Szenario

Fig. 7. Duration of the Call Setup without (left) and with (right) encrypting a session key for Mobile Originated calls

3.2 Variation of the Pseudonym Length This section deals with the influence of the pseudonym length to the signalling load in the mobile network. The signalling under the TP method is compared to standard GSM signalling. Moreover it is investigated how the load behaves if instead of the TMSI (Temporary Mobile Subscriber Identity as used in standard GSM) in all relevant signalling messages the IMSI or the PMSI, resp., are used. The mobility behaviour and pseudonym change rates are modelled as averages over the values shown in the last section. The important parameters are listed in table 2. Lenght of PMSI cell radius [km] speed [km/h] turning probability distance between two turns PMSI updates/h time between two PMSI updates [min] call setup rate MO [attempts/h] time between two MO calls [min] call setup rate MT [attempts/h] time between two MT calls [min]

50 bits, 100 bits, 200 bits, 600 bits 9 58 0.43 0.5 6 10 1.2 50 0.6 100

Table 2. Simulation parameters for variation of pseudonym length

As in the previous section, the TP method shows again a significant load increase in the different scenarios compared to the signalling expense of standard GSM. Fig. 8 left shows for example that the total network load is doubled. Moreover, the load varies linearly with the pseudonym length. Note that a pseudonym length of 600 bits has only be simulated to demonstrate the trend of the load development. It may be shown [7, 11] that in fact a pseudonym length of 70 bits is sufficient for preventing two users from choosing the same pseudonym.

4.0

30.0 25.0

3.0

Duration (s)

(Bit/s)

20.0 15.0 10.0

GSM TP−Method

GSM (Location Update) TP (Location Update) TP (PMSI−Insert)

2.0

1.0

5.0 GSM

0.0

0.0

100.0 200.0 300.0 400.0 500.0 600.0

0.0 0.0

PMSI Length (Bit)

200.0 400.0 PMSI Length

600.0

Fig. 8. Global load (left) and duration for location update and PMSI insertion (right), depending on the length of the pseudonym

The duration of location update and call setup procedures does not depend on the length of the pseudonym as shown in fig. 8 right, the reason being that the location update and call setup procedures use the TMSI while sending messages on the air interface; only in the fixed network with its much higher transmission capacity GSM uses IMSI, whereas TP uses PMSI. In contrast, the duration of the PMSI insertion procedure is heavily depending on the PMSI length, as the new PMSI has to be transmitted on the air interface, where e.g. 100 bits long pseudonyms delay the insertion by 128 ms. 3.3 Variation of Pseudonym Change Rate This section explores the influence of the pseudonym change rate on the load of the GSM network. We have investigated pseudonym change intervals from two minutes up to one hour. The mobility and call model is the same as in the previous section. The parameters correspond to those of table 2 for a PMSI length of 100 bits except for those listed in table 3. PMSI updates/hour time between two PMSI updates [min]

30 2

6 10

2 30

1 60

Table 3. Simulation parameters for variation of pseudonym change rates

Fig. 9 left shows that the shorter the interval between two pseudonym changes, the larger the increase in the global load and vice versa. Note that the load may be influenced to a much larger extent than e.g. by the call rate (or PMSI length, as further experiments have shown). Fig. 9 right demonstrates how the PMSI insertion procedure becomes more and more responsible for the total network load: For the time between two PMSI changes being 600 sec (corresponding to 6 changes/hour) the insertion causes 47% whereas for a time of 120 sec between two changes (i.e. 30 changes/hour) this share is already approximately 81%. The reason for this lies in the "length" of the PMSI insertion procedure (i.e. the sum of lengths of all respective messages) which is a couple of times the length of the PMSI. Hence it can be concluded that increasing the PMSI exchange rate has much more effect than prolonging the PMSI.

60.0

50.0 GSM TP−Method

50.0

40.0

(Bit/s)

(Bit/s)

40.0 30.0 20.0

20.0 10.0

10.0 0.0 0.0

30.0

0.0 0.0

1000.0 2000.0 3000.0 4000.0 Time between two PMSI−changes (s)

1000.0 2000.0 3000.0 4000.0 Time between two PMSI−changes (s)

Fig. 9. Global load for different PMSI change rates (left) and load caused by the PMSI insertion procedure (right)

Fig. 10 shows the distribution of the total load at the different GSM interfaces. Obviously, the air interface Um is affected most by the signalling of a user. As the dedicated signalling channels at the air interface are assigned exclusively to the users, whereas the signalling messages of all users use the ressources of the same SS7 network, the load in the SS7 network must be viewed in relation to the user number. A load increase of 0.1 bit/s (as caused by increasing the pseudonym change rate from 2 to 6 changes/hour) increases the total load in the SS7 network for a user number of 1 million by approximately 98 Kbit/s. 30.0

120 s 600 s 1800 s 3600 s

10.0

0.0

Um

Abis

A

MAPx MAPhlr

Fig. 10. Load at different air interfaces for different pseudonym change rates

Number of entries in HLR

(Bit/s)

20.0

80.0 120 s 600 s 1800 s 3600 s

70.0 60.0

TP−Method GSM

50.0 40.0 30.0 20.0 10.0 0.0 0.0

1000.0 2000.0 3000.0 4000.0 Time between two PMSI−changes (s)

Fig. 11. Average number of entries in the HLR database

Finally, the average number A of entries in the HLR has been simulated. In [11], we have derived analytically that for the case of our TP scenario, A = 2 ⋅ N (N being the number of active users, 21 in our case), i.e. double the value as in standard GSM. Fig. 11 shows the close matching between theoretical prediction and measurement. The slight increase for the case of very high pseudonym change rates is caused by an artifact: Drawing the TTL from an exponential distribution one may get values of under some seconds, which in turn may cause the deletion of a pseudonym during an ongoing signalling procedure due to normal transmission delay and possible high signalling traffic in the network. To avoid simulation errors, the minimum TTL has been set to values between 2 and 10 seconds, thus guaranteeing that the use of a pseudonym is finished before it is deleted. Therefore, increasing pseudonym update rates may

yield new pseudonyms arriving faster than they can be served (i.e. deleted), thus causing an increasing number of entries in the database. 3.4 Variation of the Call Rate In this section the effect of varying the call attempt rate is investigated. The ratio between outgoing and incoming calls is assumed to be 2:1. The parameter values of table 3 remain unchanged except for the ones listed in table 4. Note that the sending of a transmission key is neglected here. call setup rate MO [attempts/h] time between two MO calls [min] call setup rate MT [attempts/h] time between two MT calls [min] average time between call attempts [sec] PMSI updates/hour

4 15 2 30 600

2.4 25 1.2 50 1000

1.6 38 0.8 75 1500

1.2 50 0.6 100 2000

6

Table 4. Simulation parameters for variation of call attempt rates

Fig. 12 shows two characteristic results. It may be concluded that the total network load as well as the load on the HLR interfaces increases with the rate of arriving calls. The increase is equal for the GSM network and the TP method, hence the request at the user's HTD does not matter because of the high transmission rates. 4.0

40.0 GSM TP (PMSI 100 Bit) TP (PMSI 200 Bit)

3.0

(Bit/s)

(Bit/s)

30.0

20.0

GSM TP (PMSI 100 Bit) TP (PMSI 200 Bit)

1.0

10.0

0.0 500.0

2.0

1000.0

1500.0

2000.0

Time between two call setups (s)

0.0 500.0

1000.0

1500.0

2000.0

Time between two call setups (s)

Fig. 12. Global load for varying call attempt rates (left) and load on the HLR interface (right)

4 Concluding Remarks This paper has dealt with the question of how to protect information about user location against insider attackers in a GSM network. It has been demonstrated that the TP method yields feasible solutions to this problem by hiding the relation between user identity and location with pseudonyms whose unavoidable changes can be protected from being linked together by an attacker. The performance aspects of this approach have been thoroughly investigated by a detailed OPNET simulation and evaluation that has dealt with the influence of mobility behaviour, pseudonym length, their change rate and the call setup rate on the performance of the method.

References 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.

11. 12. 13.

Brass, V.; Fuhrmann, W. F.: Traffic Engineering Experience from Operating Cellular Networks. IEEE Communication Magazine, August 1997, 66–71. Dauber, F.-J.: QoS Parameters of Bus Traffic with respect to Time-Tables and Subsequent Variability. Ph.D. Thesis (in German). Aachen University of Technology, July 1986. Institute Eurecom, Delta Partners: A GSM OPNET Model (incl. documentation). © 1994–95. Fuhrmann, W.; Brass, V.: Performance Aspects of the GSM Radio Subsystem. Proceedings of the IEEE, vol. 82 no. 9, 1994, 1449–1466. Farber, D. J.; Larson, K. C.: Network Security via Dynamic Process Renaming. Proceedings of the 4th Data Communications Symposion, Quebec (Canada), Oct. 1975, 8/13–8/18. Guérin, Roch A.: Channel Occupancy Time Distribution in a Cellular Radio System. IEEE Transactions on Vehicular Technology, vol. VT-35 no. 3, 1987, 89–99. Junghärtchen, K.: Simulative Investigation of Methods for Protecting Location Information in Mobile Networks. Diploma Thesis. Aachen University of Technology, November 1997 (in German). Karger, P. A.: Non-Discretionary Access Control for Decentralized Computing Systems. M.Sc. Thesis, Techn. Report MIT/LCS/TR-179, MIT 1975. Kesdogan, D.; Fouletier, X.: Secure Location Information Management in Cellular Radio Systems. Proceedings of the IEEE Wireless Communication Systems Symposion WCSS'95, Long Island, 1995, 35–46. Kesdogan, D.; Federrath, H.; Jerichow, A.; Pfitzmann, A.: Location Management Strategies increasing Privacy in Mobile Communication Systems. Proceedings of the 12th IFIP International Information Security Conference SEC'96, May 1996 (Chapman & Hall). Kesdogan, D.; Reichl, P.; Junghärtchen, K.: Distributed Temporary Pseudonyms: A New Approach for Protecting Location Information in Mobile Communication Networks. Proceedings of ESORICS'98. Louvain, Sept. 1998 (Springer LNCS). Lyberopoulos, G. L.; Markoulidakis, J. G.; Polymeros, D. F. et al.: Intelligent Paging Strategies for Third Generation Mobile Telecommunication Systems. IEEE Transactions on Vehicular Technology, vol. 44 no. 3, August 1995, 543–553. Mouly, M.; Pautet, M. B.: The GSM System for Mobile Communication. Published by the authors, 4, rue Elisée Reclus, F-91120 Palaiseau, France.